Exploits for Android Binder bug CVE-2020-0041

# CVE-2020-0041
This repository contains code for exploiting CVE-2020-0041, a bug we reported to Google in December 2019 that was fixed in the Android Security Bulletin from March 2020.
You can find the sandbox escape exploit in [sandbox/](sandbox/). The analysis of the bug and exploitation approach can be found at https://labs.bluefrostsecurity.de/blog/2020/03/31/cve-2020-0041-part-1-sandbox-escape/ .
Similarly, you can find the privilege escalation exploit in [lpe/](lpe/). The exploitation approach for this part can be found at https://labs.bluefrostsecurity.de/blog/2020/04/08/cve-2020-0041-part-2-escalating-to-root/ .
```
[4.0K] /data/pocs/8b3db2fac0b272074b545d7edc254efb03bb1eab
├── [4.0K] lpe
│   ├── [ 314] Android.mk
│   ├── [  78] Application.mk
│   ├── [4.0K] include
│   │   ├── [4.0K] binder.h
│   │   ├── [ 390] binder_lookup.h
│   │   ├── [ 646] endpoint.h
│   │   ├── [ 206] exploit.h
│   │   ├── [ 257] handle.h
│   │   ├── [  88] helpers.h
│   │   ├── [ 225] log.h
│   │   ├── [1.3K] node.h
│   │   ├── [ 769] pending_node.h
│   │   ├── [ 303] realloc.h
│   │   └── [ 15K] uapi_binder.h
│   ├── [ 613] Makefile
│   ├── [3.4K] README.md
│   └── [4.0K] src
│       ├── [ 31K] binder.c
│       ├── [ 12K] binder_lookup.c
│       ├── [7.4K] endpoint.c
│       ├── [ 28K] exploit.c
│       ├── [ 462] helpers.c
│       ├── [ 608] log.c
│       ├── [ 13K] node.c
│       ├── [9.9K] pending_node.c
│       └── [5.9K] realloc.c
├── [ 631] README.md
└── [4.0K] sandbox
    ├── [ 453] index.html
    ├── [ 97K] main.diff
    ├── [5.7K] README.md
    ├── [4.0K] reverse_shell
    │   ├── [ 204] Android.mk
    │   ├── [  82] Application.mk
    │   ├── [ 659] Makefile
    │   └── [4.0K] src
    │       └── [ 697] reverse_shell.c
    ├── [ 814] serve.py
    └── [ 954] v8.diff

6 directories, 34 files
```